This article covers two ways to disallow external storage access on macOS devices.
The first, for macOS 26 and newer, uses the Disk Management declaration (a declarative device management configuration). For each storage class it lets you choose allowed, disallowed (no read or write access), or read-only, and the OS enforces the choice on the device. It covers local drives attached over USB or Thunderbolt as well as network storage mounted over SMB.
The second, for macOS 15 and older, uses a Smart Software item that installs a bash script and a LaunchDaemon property list on the Mac. The daemon runs in the background as root and ejects every external disk it finds whenever a volume mounts and again every 60 seconds. Note the limits of this approach: it ejects drives after they mount rather than preventing the mount, so a drive is briefly accessible before the eject runs; it ejects every external disk, including Time Machine or other approved drives; and it does NOT apply to network storage, which only the macOS 26 and newer path covers.
macOS 26 and newer - Disk Management via Declaration
Navigate to Catalog -> Device Settings -> Disk Management
In the Disk Management declaration, configure the Restrictions key. It carries one entry for external storage (local drives attached over USB or Thunderbolt; ExternalStorage in Apple's declaration schema) and one for network storage (SMB mounts; NetworkStorage), and each can be set to allowed, read-only, or disallowed. Save the declaration and assign it to a policy; no script or LaunchDaemon is needed on the device for this path.
macOS 15 and older - Creating Smart Software
- On the left sidebar, navigate to Catalog > Software > New.
- Name your Smart Software.
- In the Installation Command field, copy and paste the following script:
IFS=$'\n'
cat << "EOF" > "/Library/Addigy/unmount_all_external_drives.sh"
#!/bin/bash
# Eject one externally connected disk by its whole-disk node (e.g. /dev/disk4)
eject_drive() {
    local disk=$1
    echo "Ejecting $disk"
    if diskutil eject "$disk" >/dev/null 2>&1; then
        echo "$disk has been ejected"
    else
        echo "Unable to eject $disk"
    fi
}

# Match only the "/dev/diskN (external, ...)" header lines of `diskutil list`,
# so a volume whose name merely contains the word "external" is not picked up
external_drives=$(diskutil list | awk '/^\/dev\/disk[0-9]+ \(external/ {print $1}')
if [ -n "$external_drives" ]; then
    echo "External drive(s) detected:"
    echo "$external_drives"
    # Eject each detected external disk
    for disk in $external_drives; do
        eject_drive "$disk"
    done
fi
EOF
cat << "EOF" > /Library/LaunchDaemons/com.addigy.agent-unmount.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.addigy.agent-unmount</string>
    <key>UserName</key>
    <string>root</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Addigy/unmount_all_external_drives.sh</string>
    </array>
    <key>StartOnMount</key><true/>
    <key>StartInterval</key><integer>60</integer>
    <key>StandardOutPath</key><string>/Library/Addigy/usb_unmount.log</string>
    <key>StandardErrorPath</key><string>/Library/Addigy/usb_unmount.log</string>
    <key>ProcessType</key><string>Background</string>
    <key>LowPriorityBackgroundIO</key><true/>
    <key>LowPriorityIO</key><true/>
</dict>
</plist>
EOF
chown root:wheel /Library/LaunchDaemons/com.addigy.agent-unmount.plist
chmod 644 /Library/LaunchDaemons/com.addigy.agent-unmount.plist
# The daemon runs this script as root, so nobody but root may write to it
chown root:wheel /Library/Addigy/unmount_all_external_drives.sh
chmod 755 /Library/Addigy/unmount_all_external_drives.sh
launchctl bootstrap system /Library/LaunchDaemons/com.addigy.agent-unmount.plist
- In the Conditions for Install field, click the blue Advanced: Custom Conditional Commands text and paste the following script into the blank field. It exits non-zero, so the install is skipped, when the daemon is already loaded, and exits 0 otherwise:
if launchctl list | grep -q "com.addigy.agent-unmount"; then
    echo "Unmount USB External Drives already running"
    exit 1
fi
exit 0
- In the Removal Command field, copy and paste the following script:
# bootout is the counterpart of the bootstrap used at install time
if launchctl bootout system "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"; then
    echo "Daemon Removed"
fi
if rm -f "/Library/LaunchDaemons/com.addigy.agent-unmount.plist"; then
    echo "Daemon plist file removed from /Library/LaunchDaemons"
fi
if rm -f "/Library/Addigy/unmount_all_external_drives.sh"; then
    echo "USB Unmount Files Removed"
fi
- Save the Smart Software.
- Deploy the Smart Software to a policy or policies (we recommend testing on a single device prior to deployment).
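The following is an added example, not Addigy's script and not part of the article. It is a variant of the eject script above with two additions a practitioner usually wants before rolling this out: an allow-list of whole-disk nodes that are never ejected (for example an approved Time Machine disk; the entries and the ALLOWED_DISKS name are hypothetical), and a dry-run mode that prints what would be ejected without touching anything. The function names are this example's own. It matches only the `/dev/diskN (external, ...)` header lines that `diskutil list` prints, and embeds a constructed sample of that output so the parsing can be checked on any host, including one without diskutil.

```shell
#!/bin/sh
# Added example, not Addigy's script: a variant of unmount_all_external_drives.sh
# with an allow-list and a dry-run mode. Disk identifiers in ALLOWED_DISKS and
# the sample diskutil output below are constructed for illustration/testing.

# Whole-disk nodes that must never be ejected, whitespace separated
# (hypothetical example: an approved Time Machine disk). Empty by default.
ALLOWED_DISKS="${ALLOWED_DISKS:-}"

# Read `diskutil list` output on stdin and print the whole-disk node of every
# external disk, one per line. Only the "/dev/diskN (external, ...)" header
# lines match, so a volume merely *named* "external" is ignored.
find_external_disks() {
    awk '/^\/dev\/disk[0-9]+ \(external/ { print $1 }'
}

# Succeed (exit 0) if $1 is on the allow-list.
is_allowed() {
    local disk=$1 allowed
    for allowed in $ALLOWED_DISKS; do
        [ "$disk" = "$allowed" ] && return 0
    done
    return 1
}

# Read `diskutil list` output on stdin and print only the disks to eject.
disks_to_eject() {
    local disk
    find_external_disks | while IFS= read -r disk; do
        is_allowed "$disk" || printf '%s\n' "$disk"
    done
}

# Eject every external disk that is not allow-listed (macOS only).
eject_external_disks() {
    local disk
    for disk in $(diskutil list | disks_to_eject); do
        if diskutil eject "$disk" >/dev/null 2>&1; then
            echo "$disk ejected"
        else
            echo "Unable to eject $disk" >&2
        fi
    done
}

# Constructed sample of `diskutil list` output: one internal disk, two external
# disks, and an APFS volume whose name contains the word "external".
SAMPLE_DISKUTIL_OUTPUT='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:             Apple_APFS_ISC Container disk1         524.3 MB   disk0s1

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *64.0 GB    disk4
   1:                 Apple_APFS Container disk5         63.8 GB    disk4s2

/dev/disk5 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +63.8 GB    disk5
   1:                APFS Volume my external backup      10.0 GB    disk5s1

/dev/disk6 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *32.0 GB    disk6
   1:             Windows_FAT_32 USBSTICK                32.0 GB    disk6s1'

# With no argument, list what would be ejected (dry run); with --eject, do it.
# Both need diskutil, so on a non-macOS host the script only defines functions.
if command -v diskutil >/dev/null 2>&1; then
    case "${1:-}" in
        --eject) eject_external_disks ;;
        *)       diskutil list | disks_to_eject ;;
    esac
fi
```

Run it with no arguments on a test Mac to see the dry-run list, then with `--eject`. To use it in place of the page's script, set `ALLOWED_DISKS` at the top of the file (or in the LaunchDaemon's EnvironmentVariables dictionary) and point ProgramArguments at the script with `--eject` as a second argument. After bootstrapping, `sudo launchctl print system/com.addigy.agent-unmount` confirms the daemon is loaded, and /Library/Addigy/usb_unmount.log records each pass. Note that the page's `grep external | awk '{print $1}'` approach would, on the sample above, also emit `1:` for the volume named "my external backup" and then fail to eject it; the header-line match avoids that.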